From owner-freebsd-questions@freebsd.org Sun Mar 19 20:04:47 2017
From: William Dudley
Date: Sun, 19 Mar 2017 16:04:45 -0400
Subject: Re: how do I get STARTTLS working with sendmail on FreeBSD 10.3 ?
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org

I have all of the stuff you referenced in my ${hostname}.mc.
I have a dh.param in /etc/mail/certs

And yet,

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.casano.com ESMTP Sendmail 8.15.2/8.15.2; Sun, 19 Mar 2017 16:02:48 -0400 (EDT)
ehlo localhost
250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.casano.com closing connection
Connection closed by foreign host.

in which STARTTLS is conspicuous by its absence.

Surely I am missing some crucial, undocumented step.
Is there anything else I should check?

Thanks,
Bill Dudley

This email is free of malware because I run Linux.

On Sun, Mar 19, 2017 at 10:34 AM, Matthew Seaman wrote:
> On 18/03/2017 22:44, William Dudley wrote:
> > A google search does not reveal a useful answer.
> >
> > I just want to use a self-signed certificate so I can get my email from my
> > FreeBSD mail server to my cell phone. My FreeBSD server runs sendmail.
> > I don't really want to switch to postfix, qmail, etc. etc.
>
> Hmm... STARTTLS capability is enabled by default in freebsd.mc in 11.0
> -- I think it might be on 10.3 as well.
>
> Anyhow, you need the following sort of thing in your ${hostname}.mc --
>
> define(`CERT_DIR', `/etc/mail/certs')dnl
> define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
> define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
> define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
> define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
> define(`confCACERT', `CERT_DIR/cacert.pem')dnl
> define(`confCACERT_PATH', `CERT_DIR')dnl
> define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl
>
> and you need to create all of the host.key and host.cert and cacert.pem
> and dh.param files. That's mostly covered here:
>
> http://www.sendmail.org/~ca/email/other/cagreg.html
>
> Note that for e-mail purposes you don't generally need a certificate
> signed by a well known CA -- just self signed is fine. With e-mail,
> it's more important to ensure privacy in transit rather than to identify
> the party you're corresponding with.
>
> The dh.param file you can generate by:
>
> openssl dhparam -outform PEM -out dh.param 2048
>
> IIRC adding all this will allow your sendmail install to support
> STARTTLS, but not make it require STARTTLS. I believe there's a
> DAEMON_OPTIONS setting to achieve that, but I'd need to look that up.
> Get hold of the O'Reilly sendmail book if you're interested -- it has
> details of all this stuff.
>
> Cheers,
>
> Matthew
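A small checker, added here as an example and not code from either post, that automates the test Bill ran by hand (EHLO, look for STARTTLS in the reply) and separately inspects the directory that Matthew's `define`s point at: the four files host.cert, host.key, cacert.pem and dh.param must exist, and host.key must not be group- or world-readable, because sendmail's file-safety check rejects an unsafe key file, logs the reason to /var/log/maillog, and then simply leaves STARTTLS out of its EHLO reply, which matches the symptom in the thread. When STARTTLS is offered, the live check negotiates it with verification disabled (the thread is about a self-signed certificate) and returns the SHA-256 fingerprint of the server certificate, which is the value to compare against on the phone. The host, port and directory are arguments supplied by the caller; the two EHLO transcripts embedded for offline use are constructed from the one quoted above.

```python
#!/usr/bin/env python3
"""Check whether an SMTP server advertises STARTTLS and whether the files a
sendmail STARTTLS configuration points at are present and safe.

Added example for this mailing-list thread; not code from either post.
Paths, hostnames and transcripts below are assumptions or constructed data.
"""
import hashlib
import os
import smtplib
import ssl
import stat
import sys

# Constructed from the EHLO reply quoted in the thread (no STARTTLS line).
EHLO_WITHOUT_STARTTLS = """\
250-mail.casano.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
"""

# Constructed: the same reply once sendmail is offering STARTTLS.
EHLO_WITH_STARTTLS = EHLO_WITHOUT_STARTTLS.replace("250-DSN\n", "250-DSN\n250-STARTTLS\n")


def parse_ehlo(text):
    """Return the set of extension keywords in a multi-line 250 EHLO reply.

    The first 250 line is the greeting; each later line is "250-KEYWORD [params]"
    or the final "250 KEYWORD". Only the keyword is kept, upper-cased.
    """
    keywords = set()
    lines = [line for line in text.splitlines() if line.startswith("250")]
    for line in lines[1:]:            # skip the "pleased to meet you" greeting
        body = line[4:].strip()       # drop the "250-" / "250 " prefix
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def starttls_advertised(text):
    """True when the EHLO reply lists STARTTLS."""
    return "STARTTLS" in parse_ehlo(text)


# File names follow the m4 defines quoted in the thread; the directory is
# whatever CERT_DIR is set to (/etc/mail/certs on the poster's machine).
EXPECTED_FILES = ("host.cert", "host.key", "cacert.pem", "dh.param")


def check_cert_dir(cert_dir):
    """Return a list of problems found in cert_dir: missing files, or a private
    key readable by group/other. sendmail treats such a key as unsafe, logs
    it to /var/log/maillog, and does not offer STARTTLS.
    """
    problems = []
    for name in EXPECTED_FILES:
        path = os.path.join(cert_dir, name)
        if not os.path.isfile(path):
            problems.append(f"missing: {path}")
            continue
        if name == "host.key":
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f"{path} is group/other accessible (mode {mode:o}); use 0600")
    return problems


def live_check(host, port=25):
    """Connect, EHLO, and if STARTTLS is offered negotiate it and return the
    SHA-256 fingerprint of the server certificate (hex). Returns None when the
    server does not advertise STARTTLS. Certificate verification is disabled
    on purpose: the certificate is self-signed, so the fingerprint is what
    a client should pin instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        smtp.starttls(context=ctx)
        der = smtp.sock.getpeercert(binary_form=True)   # raw DER, even unverified
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    # Usage: starttls_check.py [host] [cert_dir]   (both are assumed defaults)
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    cert_dir = sys.argv[2] if len(sys.argv) > 2 else "/etc/mail/certs"
    for problem in check_cert_dir(cert_dir):
        print("config:", problem)
    fp = live_check(host)
    print("STARTTLS not advertised" if fp is None else f"STARTTLS ok, cert sha256={fp}")
```

Two more things worth confirming before blaming the .mc file, both from stock sendmail rather than this thread: `sendmail -d0.1 -bv root` prints the "Compiled with:" list, and STARTTLS has to appear there for any of the defines to matter; and the .mc is only a source file, so on FreeBSD the change must be pushed through `cd /etc/mail && make && make install && make restart` before the running daemon sees it.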